LUKS disk encryption plugin

  • wipe it in the Physical Disks tab. There is no way to do this without moving data off it first though.

    Thanx! but its really inconvenient.

    Bitlocker or VeraCrypt on Win can permanent decrypt.

    And there is a lot of data there, I will think about how best to implement it.


    I noticed that the performance of Luks encrypted disks drops significantly.

    OMV 6.
    Motherboard: Intel DP55WG
    CPU: Intel Xeon X3470
    12GB DDR3 RAM
    WD Black WD5000LPSX - system
    WD Blue 4GB x4 - RAID 10
    500GB SSD x2 - RAID 1 for VM's and Docker containers

    • Official Post

    but its really inconvenient.

    Bitlocker or VeraCrypt on Win can permanent decrypt.

    They work different. LUKS creates a block device and you put a filesystem on top of that. The others are on top of or part of the filesystem. Not much we can do.

    omv 7.4.14-1 sandworm | 64 bit | 6.11 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.15 | compose 7.2.16 | k8s 7.3.1-1 | cputemp 7.0.2 | mergerfs 7.0.5 | scripts 7.0.9


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • I'm unable to add extra keys to my encrypted drive.


    I'm getting a Test key error "no key available with this passphrase. Command failed with code -2 (no permission or bad passphrase).


    Drive appears to encrypt successfully. I use the unlock icon and enter passphrase. It seems to accept it and the lock icon shows blue, as well as the keys icon (however, I don't get a tick mark under unlocked in the table below). But when I test the keys (1 slot in use) I get the error.


    Further, I am able to select the encrypted drive to create and mount a file system. When creating a file system to shows the drive as encrypted.


    Suggestions?


    omv system details:

    omv 6.9.1-1. 64bit, kernel 6.1.0-0

    nuc celeron N3050

    plugins: extras 6.3.1, flashmemory, Wetty, compose, lucksencryption 6.0, resetperms, sharerootfs, symlinks

    1 x 4Tib SSD

    64Gib USB OS drive

    • Official Post

    Suggestions?

    Does your passphrase have any $ or ' or " in it?

    omv 7.4.14-1 sandworm | 64 bit | 6.11 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.15 | compose 7.2.16 | k8s 7.3.1-1 | cputemp 7.0.2 | mergerfs 7.0.5 | scripts 7.0.9


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • Does your passphrase have any $ or ' or " in it?

    I removed those characters but then got 500 error.


    Decided to change everything: cypher, label, and password (I used no special characters).


    Now able to add keys however, I still don't get a tick mark when the drive is unlocked.(blue padlock work though). A bug? And for feedback, when I test a key the dialog box just disappears rather than returning 'okay' or something'. (which would be useful).


    Anyway, everything appears to be working many thanks for your very speedy and helpful assistance!

    • Official Post

    And for feedback, when I test a key the dialog box just disappears rather than returning 'okay' or something'. (which would be useful).

    I can't. I can only return errors. So, the lack of errors has to signify success.


    I still don't get a tick mark when the drive is unlocked.

    I haven't changed the plugin or tested it in 7+ months. I will have to see if I still have a test system setup.

    omv 7.4.14-1 sandworm | 64 bit | 6.11 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.15 | compose 7.2.16 | k8s 7.3.1-1 | cputemp 7.0.2 | mergerfs 7.0.5 | scripts 7.0.9


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • Backing up and restoring the header
    The header on a LUKS-encrypted device contains details of the encryption method and cipher, and also the master key needed for en-/decryption, itself encrypted by up to 8 passphrases, stored in key slots 0-7. It is advisable to make a backup of the header whenever you create an encrypted device or add, remove or change any of the passphrases. If the header or any of the key slots become corrupt (or you accidentally remove all the keys! - see above), you can restore the header from a backup, which will restore the passphrases as they were in the backup.

    Does the plugin allow for the backing up of headers or is this a suggestion that you should do it in the CLI? I can't find how to do it from the plugin.

    • Official Post

    Does the plugin allow for the backing up of headers or is this a suggestion that you should do it in the CLI? I can't find how to do it from the plugin.

    It used to but I couldn't port that function to OMV 6. So, you will have to do it from the command line.

    omv 7.4.14-1 sandworm | 64 bit | 6.11 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.15 | compose 7.2.16 | k8s 7.3.1-1 | cputemp 7.0.2 | mergerfs 7.0.5 | scripts 7.0.9


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

    • Official Post

    How often do you change passphrases? This should be a one time thing.

    omv 7.4.14-1 sandworm | 64 bit | 6.11 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.15 | compose 7.2.16 | k8s 7.3.1-1 | cputemp 7.0.2 | mergerfs 7.0.5 | scripts 7.0.9


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

    • Official Post

    Would've been nice if it was still available from the webui that's all.

    I would've ported it if it was possible.

    omv 7.4.14-1 sandworm | 64 bit | 6.11 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.15 | compose 7.2.16 | k8s 7.3.1-1 | cputemp 7.0.2 | mergerfs 7.0.5 | scripts 7.0.9


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

    • Official Post

    Out of curiosity what changed that made it impossible or not practical?

    The web interface framework changed between OMV 5.x and 6.x. Plugins are created with declarative yaml and there is no file save type of component in this framework.

    omv 7.4.14-1 sandworm | 64 bit | 6.11 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.15 | compose 7.2.16 | k8s 7.3.1-1 | cputemp 7.0.2 | mergerfs 7.0.5 | scripts 7.0.9


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • I can Lock/Unlock my encrypted drive okay but can't successfully test my key or add keys.


    For testing my key I get (I've replaced it below with <my_password>):


    500 - OK error

    Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C.UTF-8; export LANGUAGE=; /bin/bash -c 'echo -n '<my_password>' | cryptsetup luksOpen -v --test-passphrase '/dev/sde' --key-file=-' 2>&1' with exit code '2':



    -----

    I'm on OMV6 and all updates are installed.

    • Official Post

    Does your password have a ' or " or $ in it?

    omv 7.4.14-1 sandworm | 64 bit | 6.11 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.15 | compose 7.2.16 | k8s 7.3.1-1 | cputemp 7.0.2 | mergerfs 7.0.5 | scripts 7.0.9


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • Hi Y'all,

    A quick question:


    Can LUKS be installed on on a disk already in service or does the drive need to be reformatted to make use of LUKS?


    Thanks,
    Phil

    • Official Post

    Can LUKS be installed on on a disk already in service or does the drive need to be reformatted to make use of LUKS?

    The latter. LUKS creates a block device that you create a filesystem on. There is no way to do this without wiping the disk.

    omv 7.4.14-1 sandworm | 64 bit | 6.11 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.15 | compose 7.2.16 | k8s 7.3.1-1 | cputemp 7.0.2 | mergerfs 7.0.5 | scripts 7.0.9


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • Does your password have a ' or " or $ in it?

    No. But it does have other math symbol characters. I tried adding a purely alphanumeric key but it wouldn't accept it, presumably because I had to use my current key (which won't pass when checked).


    Does this mean I have to wipe the drive and encrypt again with new keys?


    Edit: I've got a very bad memory - I see by my own earlier post (RE: LUKS disk encryption plugin), using pure alphanumeric passphrase would fix it - but I'd rather not wipe the drive now since it would mean losing a day's work

    • Official Post

    Does this mean I have to wipe the drive and encrypt again with new keys?


    Edit: I've got a very bad memory - I see by my own earlier post (RE: LUKS disk encryption plugin), using pure alphanumeric passphrase would fix it - but I'd rather not wipe the drive now since it would mean losing a day's work

    No. LUKS can have 8 slots for passwords and any of them can unlock the container. Just add another slot or change the passphrase from the command line.

    omv 7.4.14-1 sandworm | 64 bit | 6.11 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.15 | compose 7.2.16 | k8s 7.3.1-1 | cputemp 7.0.2 | mergerfs 7.0.5 | scripts 7.0.9


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!